Amendments to the Claims 

1. (Currently Amended) A method comprising: 

after a secure tunnel has been created between a first endpoint and a 
second endpoint on a packet network which tunnel traverses at least one 
network address translator (NAT) that implements a heuristic methodology in 
translating addresses and/or port numbers, and which tunnel is operating under a 
secure protocol that is independent of whatever applications are running on the 
first and second endpoints, and before one or more packets containing 
application data are sent between the first and second endpoints, sending a 
control packet from a the first endpoint of a the tunnel through the tunnel to a the 
second endpoint of the tunnel; and 

waiting at the first endpoint for a responsive control packet through the 
tunnel from the second endpoint before sending packets other than a control 
packet containing application data through the tunnel. 

2. (Cancelled) 

3. (Currently Amended) The method of claim 2 1 wherein the tunnel 
uses the IPSec security protocol suite. 

4. (Original) The method of claim 3 wherein the tunnel uses ESP in 
tunnel mode. 

5. (Cancelled) 

6. (Currently Amended) The method of claim 5 1 wherein the first 
endpoint is a client and the second endpoint is a server. 

7. (Currently Amended) The method of claim 5 1 wherein the NAT 
implements VPN Masquerade. 
8. (Original) The method of claim 1 wherein the control packet is an 
ICMP echo request packet and the responsive control packet is an ICMP echo 
reply packet. 

9. (Original) The method of claim 3 wherein the tunnel is defined by an 
epoch, the epoch comprising one security association (SA) in each direction, 
each SA having a negotiated limited lifetime and defining the use of the ESP 
protocol in tunnel mode with negotiated authentication and/or encryption keys 
and with a security parameters index (SPI) chosen by the SA's destination. 

10. (Original) The method of claim 9 wherein before the end of tunnel's 
lifetime the endpoints establish a new tunnel between them. 

11. (Currently Amended) The method of claim 10 wherein a designated 
one of the endpoints endpoint has responsibility for establishing the new tunnel 
and ignores requests initiated by the other endpoint to establish a new tunnel. 

12. (Original) The method of claim 1 wherein the second endpoint waits 
for a packet from the first endpoint through the tunnel before using the tunnel to 
send any packets. 

13. (Currently Amended) The method of claim 1 wherein if the first 
endpoint does not receive any packets through the tunnel for a predetermined 
time interval then the first endpoint sends another control packet through the 
tunnel a control packet to the second endpoint. 

14. (Original) The method of claim 13 wherein if the first endpoint sends 
through the tunnel to the second endpoint a predetermined maximum number of 
control packets without receiving any packets through the tunnel then the first 
endpoint establishes a new tunnel to the second endpoint. 
15. (Currently Amended) The method of claim 10 wherein if one of the 
endpoints an endpoint is unable to complete the establishment of a new tunnel to 
the other endpoint before a predetermined time limit then that one endpoint 
abandons establishment of that tunnel and starts establishing a new tunnel to the 
other endpoint. 

16. (Currently Amended) The method of claim 15 wherein if the one of 
the endpoints an endpoint successively fails to establish a new tunnel for more 
than a predetermined maximum number of times to the other endpoint then that 
one endpoint closes the connection currently being used to establish tunnels with 
the other endpoint and opens another such connection. 

17. (Original) The method of claim 16 wherein the connection used to 
establish tunnels between the endpoints is an IKE session. 

18. (Currently Amended) A computer readable media tangibly 
embodying a program of instructions executable by a computer to perform a 
method, the method comprising: 

after a secure tunnel has been created between a first endpoint and a 
second endpoint on a packet network which tunnel traverses at least one 
network address translator (NAT) that implements a heuristic methodology in 
translating addresses and/or port numbers, and which tunnel is operating under a 
secure protocol that is independent of whatever applications are running on the 
first and second endpoints, and before one or more packets containing 
application data are sent between the first and second endpoints, sending a 
control packet from a the first endpoint of a the tunnel through the tunnel to a the 
second endpoint of the tunnel; and 
waiting at the first endpoint for a responsive control packet through the 
tunnel from the second endpoint before sending packets other than a control 
packet containing application data through the tunnel. 

19. (Cancelled) 

20. (Currently Amended) The computer readable media of claim 19 18 
where in the method the tunnel uses the IPSec security protocol suite. 

21. (Original) The computer readable media of claim 20 where in the 
method the tunnel uses ESP in tunnel mode. 

22. (Cancelled) 

23. (Currently Amended) The computer readable media of claim 22 18 
where in the method the first endpoint is a client and the second endpoint is a 
server. 

24. (Currently Amended) The computer readable media of claim 22 18 
where in the method the NAT implements VPN Masquerade. 

25. (Original) The computer readable media of claim 18 where in the 
method the control packet is an ICMP echo request packet and the responsive 
control packet is an ICMP echo reply packet. 

26. (Original) The computer readable media of claim 20 where in the 
method the tunnel is defined by an epoch, the epoch comprising one security 
association (SA) in each direction, each SA having a negotiated limited lifetime 
and defining the use of the ESP protocol in tunnel mode with negotiated 
authentication and/or encryption keys and with a security parameters index (SPI) 
chosen by the SA's destination. 

27. (Original) The computer readable media of claim 26 where in the 
method before the end of tunnel's lifetime the endpoints establish a new tunnel 
between them. 

28. (Currently Amended) The computer readable media of claim 27 
where in the method a designated one of the endpoints endpoint has 
responsibility for establishing the new tunnel and ignores requests initiated by the 
other endpoint to establish a new tunnel. 

29. (Original) The computer readable media of claim 18 where in the 
method the second endpoint waits for a packet from the first endpoint through the 
tunnel before using the tunnel to send any packets. 

30. (Currently Amended) The computer readable media of claim 18 
where in the method if the first endpoint does not receive any packets through 
the tunnel for a predetermined time interval then the first endpoint sends another 
control packet through the tunnel a control packet to the second endpoint. 

31. (Original) The computer readable media of claim 30 where in the 
method if the first endpoint sends through the tunnel to the second endpoint a 
predetermined maximum number of control packets without receiving any 
packets through the tunnel then the first endpoint establishes a new tunnel to the 
second endpoint. 

32. (Currently Amended) The computer readable media of claim 27 
where in the method if one of the endpoints an endpoint is unable to complete 
the establishment of a new tunnel to the other endpoint before a predetermined 
time limit then that one endpoint abandons establishment of that tunnel and 
starts establishing a new tunnel to the other endpoint. 

33. (Currently Amended) The computer readable media of claim 32 
where in the method if the one of the endpoints an endpoint successively fails to 
establish a new tunnel for more than a predetermined maximum number of times 
to the other endpoint then that one endpoint closes the connection currently 
being used to establish tunnels with the other endpoint and opens another such 
connection. 

34. (Original) The computer readable media of claim 33 where in the 
method the connection used to establish tunnels between the endpoints is an 
IKE session. 
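The control-packet gating and liveness rules of claims 1, 8, 13 and 14 (and their computer readable media mirrors in claims 18, 25, 30 and 31), as an added simulation that is not part of the claims listing or the patentee's code; the class name, the 30-second interval, the probe limit of three, the tunnel counter and the packet tuples are assumptions made for illustration.

```python
# Added simulation of the first endpoint's behaviour in claims 1, 8, 13 and 14
# (mirrored by claims 18, 25, 30 and 31). Not the patent's code: the class, the
# timer values, the tunnel counter and the packet tuples are assumptions.
class FirstEndpoint:
    def __init__(self, idle_interval=30.0, max_probes=3, now=0.0):
        self.idle = idle_interval      # claim 13: predetermined time interval (assumed 30 s)
        self.max_probes = max_probes   # claim 14: predetermined maximum number (assumed 3)
        self.tid = 0                   # how many tunnels have been established so far
        self.sent = []                 # everything sent through the tunnel, in order
        self.new_tunnel(now)

    def new_tunnel(self, now):
        # claim 1: the first packet through a fresh tunnel is a control packet
        self.tid += 1
        self.verified = False          # set once the responsive control packet arrives
        self.unanswered = 0            # control packets sent since the last packet received
        self.last_event = now          # last receive or probe (probes pace themselves: assumption)
        self.send_control(now)

    def send_control(self, now):
        self.unanswered += 1
        self.last_event = now
        self.sent.append(("echo-request", self.tid))   # claim 8: ICMP echo request

    def on_packet(self, now, kind):
        # any packet received through the tunnel proves liveness (claims 13 and 14)
        self.unanswered = 0
        self.last_event = now
        if kind == "echo-reply":       # claim 8: the responsive control packet
            self.verified = True

    def send_data(self, now, payload):
        # claim 1: application data is held until the responsive control packet
        # has arrived; sending data does not reset the receive timer of claim 13
        if not self.verified:
            return False
        self.sent.append(("data", self.tid, payload))
        return True

    def tick(self, now):
        # claim 14: too many control packets without any reply -> new tunnel
        if self.unanswered >= self.max_probes:
            self.new_tunnel(now)
            return "new-tunnel"
        # claim 13: nothing received for the idle interval -> another control packet
        if now - self.last_event >= self.idle:
            self.send_control(now)
            return "probe"
        return "idle"
```

Driving `tick` from a clock and `on_packet` from the tunnel's receive path reproduces the sequence of the claims: probe, wait, data, periodic probes while silent, and a fresh tunnel once the probe limit is hit without any packet coming back.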
